ctrl_alt_pasta Posted April 12, 2017
After seeing a tweet from someone able to get a master password from a memory dump on Linux, I tried it myself and was able to get a password from a locked database. This is on Windows 10 running the Creators Update. Here is a screenshot.
Iliyan Posted April 12, 2017
Wow, this is pretty serious...
Vikram Dabas Posted April 13, 2017
Hi @ctrl_alt_pasta,
Thanks for writing in. We are aware of this issue, and are on it to fix it very soon. When talking from the angle of severity of this issue, it can be treated as low severity for a normal user. Because to see a master password from a core dump, one needs to have control over the system, and someone having that level of privilege (equivalent to admin rights) can circumvent every protection of any password manager by getting your master password through other means like key logging, replacing the whole binary with a fake one, etc. Eventually, a password manager cannot offer that much security on a tampered or frail PC. But I am not saying that we are not careful about the security of your data and master password. We are very concerned about it and a fix will be rolled out very soon. And as we've stated earlier, we are on a path to refactor Enpass to make it more convenient with the sturdiest level of security. Meanwhile, we request our beloved users to please bear with us.
ctrl_alt_pasta (Author) Posted April 13, 2017
Thank you for the response.
Anshu kumar Posted April 28, 2017
Hi @ctrl_alt_pasta,
The issue was fixed in version 5.5.3. Cheers!
ussamkusser Posted May 1, 2017
Hi Anshu kumar, nice to hear that this issue is fixed in version 5.5.3. But what about the portable version 5.3.0? Does this portable version have that issue too? And if so, when will you fix this security bug?
Anshu kumar Posted May 2, 2017
Hi @ussamkusser,
Thanks for writing in. Yes, the portable version also had this issue but the good news is that it has already been fixed. An update of the portable version is already in the testing phase and will be available soon. Till then I request you to please bear with us.
ussamkusser Posted May 4, 2017
Hello @Anshu kum, thanks for your very fast response and the good news that a new portable version is coming soon.